810a66989b16d6b8005d23e80750031849cdfdd5beded1534b7f2d44cd4352f5

Analysis

max time kernel
105s
max time network
50s
platform
windows7_x64
resource
win7v200430
submitted
04-07-2020 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Document_Covid-19_7.xls
Size

85KB
MD5

58b62b641066a1ea49e34a2f711a1854
SHA1

4bf1830ed130fe97e50807b1a4ba4749c8fefe75
SHA256

810a66989b16d6b8005d23e80750031849cdfdd5beded1534b7f2d44cd4352f5
SHA512

82b4f73fe39cedd829178c72774094746bf471ac6d3e740339733045851c8831525a506bf8682c4e0bdcf34a1fac09d263e700c08d14ee1ca0748025c4091cb2

Score

6^/10

Malware Config

Signatures

Process spawned suspicious child process 1 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

Processes:

DW20.EXE

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1392	1064	DW20.EXE	EXCEL.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

EXCEL.EXEDW20.EXE

description	pid	process	target process
PID 1064 wrote to memory of 1392	1064	EXCEL.EXE	DW20.EXE
PID 1064 wrote to memory of 1392	1064	EXCEL.EXE	DW20.EXE
PID 1064 wrote to memory of 1392	1064	EXCEL.EXE	DW20.EXE
PID 1064 wrote to memory of 1392	1064	EXCEL.EXE	DW20.EXE
PID 1064 wrote to memory of 1392	1064	EXCEL.EXE	DW20.EXE
PID 1392 wrote to memory of 1428	1392	DW20.EXE	dwwin.exe
PID 1392 wrote to memory of 1428	1392	DW20.EXE	dwwin.exe
PID 1392 wrote to memory of 1428	1392	DW20.EXE	dwwin.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dwwin.exe

pid process

1428 dwwin.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1064 EXCEL.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1064 EXCEL.EXE
1064 EXCEL.EXE
1064 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

EXCEL.EXE

pid process

1064 EXCEL.EXE

pid	process
1428	dwwin.exe

pid	process
1064	EXCEL.EXE

pid	process
1064	EXCEL.EXE
1064	EXCEL.EXE
1064	EXCEL.EXE

pid	process
1064	EXCEL.EXE

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Document_Covid-19_7.xls
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
PID:1064

C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE
"C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1164
2⤵
- Process spawned suspicious child process
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\system32\dwwin.exe
C:\Windows\system32\dwwin.exe -x -s 1164
3⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1428

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\94973.cvr

Download Submit
memory/1392-0-0x0000000000000000-mapping.dmp

Download
memory/1428-1-0x0000000000000000-mapping.dmp

Download
memory/1428-2-0x0000000001E10000-0x0000000001E21000-memory.dmp

Filesize
68KB

Download
memory/1428-4-0x0000000002290000-0x00000000022A1000-memory.dmp

Filesize
68KB

Download